We have multiple sub-accounts that aggregate their CloudTrail data into a single S3 bucket stored at the master account level.
What, if any, SQS and SNS configurations need to be done at the sub-account level? Or, is it only defined for the master account?
Hey Larry,
I'm doing this same thing, aggregating CloudTrail for ingest via S3. Rather than using the CloudTrail input type with the SQS queue name, I'm using the S3 input on the bucket. Simplifies deployment a lot, but you have to keep in mind that the events will only be as up to date as your S3 polling interval.
You'll need a modular input instance per queue. I don't think the bucket aggregation will matter, though it might make permissions more entertaining.
This answer was assuming that you would manually aggregate several CloudTrail accounts so that you get a separate XML file from each account's events. However, if you've linked the accounts to each other you'll actually get a single XML file per period with multiple accounts and multiple events in it. Add-on for AWS version 1.1.1 was just posted Thursday and supports this scenario.